Lector de Feeds

Publication date: 09 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-31133 , CVE-2025-52565 , CVE-2025-52881 Description The way masked paths are implemented in runc can be exploited to cause the host system to crash or halt (CVE-2025-31133) and a flaw in /dev/console bind-mounts can lead to container escape (CVE-2025-52565). Also, arbitrary write gadgets and procfs write redirects could be used to engineer container escape and denial of service (CVE-2025-52881). References

• https://bugs.mageia.org/show_bug.cgi?id=34719
• https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
• https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
• https://www.openwall.com/lists/oss-security/2025/11/05/3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31133
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52565
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52881

SRPMS 9/core

• opencontainers-runc-1.2.8-2.1.mga9

Publication date: 09 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-31143 , CVE-2024-31144 , CVE-2024-31145 , CVE-2024-31146 , CVE-2024-45817 , CVE-2024-45818 , CVE-2024-45819 , CVE-2024-53240 , CVE-2024-53241 , CVE-2025-1713 , CVE-2024-28956 , CVE-2025-27462 , CVE-2025-27463 , CVE-2025-27464 , CVE-2025-27465 , CVE-2024-36350 , CVE-2024-36357 Description Double unlock in x86 guest IRQ handling. (CVE-2024-31143) Xapi: Metadata injection attack against backup/restore functionality. (CVE-2024-31144) Error handling in x86 IOMMU identity mapping. (CVE-2024-31145) PCI device pass-through with shared resources. (CVE-2024-31146) x86: Deadlock in vlapic_error(). (CVE-2024-45817) Deadlock in x86 HVM standard VGA handling. (CVE-2024-45818) libxl leaks data to PVH guests via ACPI tables. (CVE-2024-45819) Backend can crash Linux netfront. (CVE-2024-53240) Xen hypercall page unsafe against speculative attacks. (CVE-2024-53241) Deadlock potential with VT-d and legacy PCI device pass-through. (CVE-2025-1713) x86: Indirect Target Selection. (CVE-2024-28956) x86: Incorrect stubs exception handling for flags recovery. (CVE-2025-27465) TSA-SQ (TSA in the Store Queues). (CVE-2024-36350) TSA-L1 (TSA in the L1 data cache). (CVE-2024-36357) A NULL pointer dereference in the updating of the reference TSC area. (CVE-2025-27466) A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. (CVE-2025-58142) A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. (CVE-2025-58143) An assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. (CVE-2025-58144) The P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. (CVE-2025-58145) XAPI UTF-8 string handling. (CVE-2025-58146) Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. (CVE-2025-58147) Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.(CVE-2025-58148) Incorrect removal of permissions on PCI device unplug. (CVE-2025-58149) References

• https://bugs.mageia.org/show_bug.cgi?id=33401
• https://www.openwall.com/lists/oss-security/2024/07/16/3
• https://www.openwall.com/lists/oss-security/2024/07/16/4
• https://www.openwall.com/lists/oss-security/2024/08/14/2
• https://www.openwall.com/lists/oss-security/2024/08/14/3
• https://www.openwall.com/lists/oss-security/2024/09/24/1
• https://www.openwall.com/lists/oss-security/2024/11/12/2
• https://www.openwall.com/lists/oss-security/2024/11/12/1
• https://www.openwall.com/lists/oss-security/2024/12/17/1
• https://www.openwall.com/lists/oss-security/2024/12/17/2
• https://www.openwall.com/lists/oss-security/2025/02/27/1
• https://www.openwall.com/lists/oss-security/2025/05/12/4
• https://www.openwall.com/lists/oss-security/2025/05/12/5
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KEACKX57LEHS2YKZ4PO5DYNOQRGQSDO2/
• https://www.openwall.com/lists/oss-security/2025/05/27/1
• https://www.openwall.com/lists/oss-security/2025/07/01/1
• https://www.openwall.com/lists/oss-security/2025/07/08/2
• https://www.openwall.com/lists/oss-security/2025/08/28/2
• https://www.openwall.com/lists/oss-security/2025/09/09/1
• https://www.openwall.com/lists/oss-security/2025/09/09/2
• https://www.openwall.com/lists/oss-security/2025/09/09/3
• https://www.openwall.com/lists/oss-security/2025/10/21/1
• https://www.openwall.com/lists/oss-security/2025/10/24/1
• https://www.openwall.com/lists/oss-security/2025/11/05/4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31143
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31144
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31145
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31146
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45817
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45818
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45819
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53240
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53241
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1713
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28956
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27462
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27463
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27464
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27465
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36350
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36357

SRPMS 9/core

• xen-4.17.5-1.git20251028.1.mga9

Publication date: 09 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-49794 , CVE-2025-49795 , CVE-2025-49796 , CVE-2025-6021 , CVE-2025-6170 , CVE-2025-7424 , CVE-2025-7425 Description Heap use after free (UAF) leads to Denial of service (DoS). (CVE-2025-49794) Null pointer dereference leads to Denial of service (DoS). (CVE-2025-49795) Type confusion leads to Denial of service (DoS). (CVE-2025-49796) Integer Overflow Leading to Buffer Overflow in xmlBuildQName(). (CVE-2025-6021) Stack-based Buffer Overflow in xmllint Shell. (CVE-2025-6170) Type confusion in xmlNode.psvi between stylesheet and source nodes. (CVE-2025-7424) Heap-use-after-free in xmlFreeID caused by `atype` corruption. (CVE-2025-7425) References

• https://bugs.mageia.org/show_bug.cgi?id=34378
• https://www.openwall.com/lists/oss-security/2025/06/16/6
• https://www.openwall.com/lists/oss-security/2025/07/11/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49794
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49795
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49796
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6021
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6170
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7424
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7425

SRPMS 9/core

• libxml2-2.10.4-1.8.mga9
• libxslt-1.1.38-1.2.mga9

Publication date: 09 Nov 2025
Type: bugfix
Affected Mageia releases : 9
Description Changes in arte.tv make the current version of qrte fail to work. This update fixes the issue. Errata: the package's changelog makes reference to an invalid bug number. References

• https://bugs.mageia.org/show_bug.cgi?id=34703
• https://bugs.launchpad.net/qarte/+bug/2129714

SRPMS 9/core

• qarte-5.14.0-1.mga9

← Older revision Revision as of 17:26, 8 November 2025 (2 intermediate revisions by the same user not shown)Line 40: Line 40:    $ ls   $ ls    $ less <filename>   $ less <filename> −will show them locally. (The extra final ID... line is not our affair). Here is a typical security example:+will show them locally. The last line, starting with ID: is generated by the system that pushes updates from the testing to the updates repositories. The line is added to local copy of the advisory the first time 'svn up' is run after the update has been pushed. Here is a typical security example:  <pre> <pre>  type: security type: security Line 109: Line 109:     The following command should then work : The following command should then work :  +<pre>    $ svn ls svn+ssh://svn.mageia.org/svn/advisories/   $ svn ls svn+ssh://svn.mageia.org/svn/advisories/ − +</pre>  It is recommended to add a config for ssh, in ~/.ssh, so that it always automatically associates the MageiaUser with svn.mageia.org. It is recommended to add a config for ssh, in ~/.ssh, so that it always automatically associates the MageiaUser with svn.mageia.org.  Create ''~/.ssh/config'' with this inside it: Create ''~/.ssh/config'' with this inside it: Davidwhodgins

← Older revision Revision as of 19:36, 7 November 2025 (One intermediate revision by the same user not shown)Line 57: Line 57:    | Marja van Waes || marja || marja11 [at] freedom [dot] nl|| || '''Deputy''' ||   | Marja van Waes || marja || marja11 [at] freedom [dot] nl|| || '''Deputy''' ||    |-   |- −  | José Alberto Valle Cid || kanatek || j.alberto.vc@gmail.com  ||  ||  ||+  | José Alberto Valle Cid || katnatek || j.alberto.vc [at] gmail [dot] com  ||  ||  ||    |-   |- −  | Roelof Wobben || RoelofW || r.wobben@home.nl ||  ||  ||+  | Frank Sturm || sturmvogel || sturm-fr [at] web [dot] de ||  ||  ||  + |-  + | Frank Griffin || ftg || ftg [at] roadrunner [dot] com ||  ||  ||  |} |}    Lewyssmith

Publication date: 07 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-53057 , CVE-2025-53066 Description Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. (CVE-2025-53057) Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. (CVE-2025-53066) References

• https://bugs.mageia.org/show_bug.cgi?id=34697
• https://access.redhat.com/errata/RHSA-2025:18815
• https://access.redhat.com/errata/RHSA-2025:18818
• https://access.redhat.com/errata/RHSA-2025:18821
• https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixJAVA
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53057
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53066

SRPMS 9/core

• java-1.8.0-openjdk-1.8.0.472.b08-1.mga9
• java-11-openjdk-11.0.29.0.7-1.mga9
• java-17-openjdk-17.0.17.0.10-1.mga9
• java-latest-openjdk-25.0.1.0.8-1.rolling.1.mga9

Publication date: 07 Nov 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6965 Description Integer Truncation on SQLite. (CVE-2025-6965) References

• https://bugs.mageia.org/show_bug.cgi?id=34626
• https://www.openwall.com/lists/oss-security/2025/09/06/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6965

SRPMS 9/core

• sqlite3-3.40.1-1.3.mga9